Class: Legion::Crypt::TokenRenewer

Inherits:

Object

Object
Legion::Crypt::TokenRenewer

show all

Includes:: Logging::Helper

Defined in:: lib/legion/crypt/token_renewer.rb

Constant Summary collapse

INITIAL_BACKOFF =

MAX_BACKOFF =

MIN_SLEEP =

RENEWAL_RATIO =

0.75

Constants included from Logging::Helper

Logging::Helper::CompatLogger

Instance Attribute Summary collapse

#cluster_name ⇒ Object readonly

Returns the value of attribute cluster_name.

Instance Method Summary collapse

#initialize(cluster_name:, config:, vault_client:) ⇒ TokenRenewer constructor

A new instance of TokenRenewer.
#next_backoff ⇒ Object
#reauth_kerberos ⇒ Object
#renew_token ⇒ Object
#reset_backoff ⇒ Object
#running? ⇒ Boolean
#sleep_duration ⇒ Object
#start ⇒ Object
#stop ⇒ Object

Methods included from Logging::Helper

#handle_exception, #log

Constructor Details

#initialize(cluster_name:, config:, vault_client:) ⇒ `TokenRenewer`

Returns a new instance of TokenRenewer.

# File 'lib/legion/crypt/token_renewer.rb', line 18

def initialize(cluster_name:, config:, vault_client:)
  @cluster_name = cluster_name
  @config       = config
  @vault_client = vault_client
  @thread       = nil
  @stop         = false
  @backoff      = INITIAL_BACKOFF
end

Instance Attribute Details

#cluster_name ⇒ `Object` (readonly)

Returns the value of attribute cluster_name.



16
17
18

# File 'lib/legion/crypt/token_renewer.rb', line 16

def cluster_name
  @cluster_name
end

Instance Method Details

#next_backoff ⇒ `Object`

# File 'lib/legion/crypt/token_renewer.rb', line 93

def next_backoff
  current = @backoff
  @backoff = [@backoff * 2, MAX_BACKOFF].min
  current
end

#reauth_kerberos ⇒ `Object`

# File 'lib/legion/crypt/token_renewer.rb', line 62

def reauth_kerberos
  krb_config = @config[:kerberos] || {}
  result = Legion::Crypt::KerberosAuth.login(
    vault_client:      @vault_client,
    service_principal: krb_config[:service_principal],
    auth_path:         krb_config[:auth_path] || KerberosAuth::DEFAULT_AUTH_PATH
  )

  @config[:token]          = result[:token]
  @config[:lease_duration] = result[:lease_duration]
  @config[:renewable]      = result[:renewable]
  @config[:connected]      = true
  @vault_client.token      = result[:token]
  log.info("TokenRenewer[#{@cluster_name}]: re-authenticated via Kerberos, ttl=#{result[:lease_duration]}s")

  reissue_all_leases
  true
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'crypt.token_renewer.reauth_kerberos', cluster_name: @cluster_name)
  log.warn("TokenRenewer[#{@cluster_name}]: Kerberos re-auth failed: #{e.message}")
  false
end

#renew_token ⇒ `Object`

# File 'lib/legion/crypt/token_renewer.rb', line 50

def renew_token
  result = @vault_client.auth_token.renew_self
  @config[:lease_duration] = result.auth.lease_duration
  @config[:renewable] = result.auth.renewable? if result.auth.respond_to?(:renewable?)
  log.info("TokenRenewer[#{@cluster_name}]: token renewed, ttl=#{result.auth.lease_duration}s")
  true
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'crypt.token_renewer.renew_token', cluster_name: @cluster_name)
  log.warn("TokenRenewer[#{@cluster_name}]: token renewal failed: #{e.message}")
  false
end

#reset_backoff ⇒ `Object`



99
100
101

# File 'lib/legion/crypt/token_renewer.rb', line 99

def reset_backoff
  @backoff = INITIAL_BACKOFF
end

#running? ⇒ `Boolean`

Returns:

(Boolean)



46
47
48

# File 'lib/legion/crypt/token_renewer.rb', line 46

def running?
  @thread&.alive? == true
end

#sleep_duration ⇒ `Object`

# File 'lib/legion/crypt/token_renewer.rb', line 85

def sleep_duration
  lease_duration = @config[:lease_duration].to_i
  duration = [(lease_duration * RENEWAL_RATIO).to_i, 1].max
  return [duration, lease_duration - 1].min if lease_duration.positive? && lease_duration < MIN_SLEEP

  [duration, MIN_SLEEP].max
end

#start ⇒ `Object`

# File 'lib/legion/crypt/token_renewer.rb', line 27

def start
  return if running?

  @stop = false
  @thread = Thread.new { renewal_loop }
  @thread.name = "vault-renewer-#{@cluster_name}"
  log.info("TokenRenewer[#{@cluster_name}]: token renewal thread started")
end

#stop ⇒ `Object`

# File 'lib/legion/crypt/token_renewer.rb', line 36

def stop
  @stop = true
  @thread&.wakeup
rescue ThreadError => e
  handle_exception(e, level: :debug, operation: 'crypt.token_renewer.stop', cluster_name: @cluster_name)
  nil
ensure
  stop_thread_and_revoke
end

Class: Legion::Crypt::TokenRenewer

Constant Summary collapse

Constants included from Logging::Helper

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from Logging::Helper

Constructor Details

#initialize(cluster_name:, config:, vault_client:) ⇒ TokenRenewer

Instance Attribute Details

#cluster_name ⇒ Object (readonly)

Instance Method Details

#next_backoff ⇒ Object

#reauth_kerberos ⇒ Object

#renew_token ⇒ Object

#reset_backoff ⇒ Object

#running? ⇒ Boolean

#sleep_duration ⇒ Object

#start ⇒ Object

#stop ⇒ Object

#initialize(cluster_name:, config:, vault_client:) ⇒ `TokenRenewer`

#cluster_name ⇒ `Object` (readonly)

#next_backoff ⇒ `Object`

#reauth_kerberos ⇒ `Object`

#renew_token ⇒ `Object`

#reset_backoff ⇒ `Object`

#running? ⇒ `Boolean`

#sleep_duration ⇒ `Object`

#start ⇒ `Object`

#stop ⇒ `Object`